LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

Michael Loftis <[log in to unmask]>
Tue, 4 Sep 2012 08:45:02 -0600
Really far off topic for this list.  The log line indicates, though,
that the webserver simply sent a redirect in response to the POST
operation.  The attempt looks like they were trying to exploit a hole
in the way a lot of systems set up PHP using CGI by attempting to pass
command line arguments to PHP to get it to spit out the /etc/passwd
file.  It isn't likely that it worked since most setups use PHP as an
internal server module, not CGI mode PHP.  Even if you use CGI mode PHP
you still have to have it set up insecurely and you'd have to not be
using shadow passwords for it to have exposed anything more than user
names.

On Tue, Sep 4, 2012 at 6:05 AM, Tolliver <[log in to unmask]> wrote:
> Hello,
>
> This is what was in my log this morning.
>
> I checked the access log and it is in there.
>
> Here it is:
>  "POST
> /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n
> HTTP/1.1" 302 503 "-" "Mozilla/5.0"
>
>
> Is there a way of determining if the Server has been compromised?
>
>
> Thanks.
>
> ############################
>
> To unsubscribe from the LSTSRV-L list:
> write to: mailto:[log in to unmask]
> or click the following link:
> http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1



--

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
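
An added example, not part of the original post: one way to find this kind of request in an access log is to look for query strings that contain no unencoded "=" and begin with "-", since a CGI server passes such a query to the program as command-line arguments split on "+". The sample log lines are constructed, and the names `cgi_args` and `triage` are hypothetical.

```python
import re
from urllib.parse import unquote

# Request, status and size fields of a common/combined-format access log line.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})\s+(?P<size>\d+|-)')
# A "-d name=value" switch as it looks after percent-decoding.
DIRECTIVE_RE = re.compile(r'^-d\s*(?P<name>[A-Za-z_.]+)=(?P<value>.*)$', re.S)

# Constructed sample lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Sep/2012:05:58:41 -0600] "POST /?-d%20allow_url_include%3DOn'
    '+-d%20auto_prepend_file%3D../../../../etc/passwd%00%20-n HTTP/1.1" 302 503 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [04/Sep/2012:06:01:12 -0600] "GET /index.php?id=5 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def cgi_args(target):
    """Return the arguments a CGI server derives from the query string, or []."""
    _, sep, query = target.partition("?")
    # A query containing an unencoded "=" is form data, not command-line arguments.
    if not sep or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def triage(line):
    """Describe a log line whose query string would reach php-cgi as switches."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    args = cgi_args(m["target"])
    if not args or not args[0].startswith("-"):
        return None
    directives = {}
    for arg in args:
        d = DIRECTIVE_RE.match(arg)
        if d:
            directives[d["name"]] = d["value"]
    status = int(m["status"])
    return {"method": m["method"], "status": status, "directives": directives,
            "nul_byte": any("\x00" in a for a in args),
            # Assumption: a 3xx status means the server answered with a redirect.
            "redirected": 300 <= status < 400}


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

The status code only shows how the server answered; whether PHP actually runs in CGI mode on the host still has to be checked in the server configuration.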
